PolicyMaker
description
Transcript of PolicyMaker
PolicyMaker Presentation
PolicyMakerPolicyMaker
Vishwas Patil, TIFR. 2/16PolicyMaker Presentation
PolicyMaker: “?”PolicyMaker: “?”
Aim:- An attempt to solve the need to find a suitably trustworthy copy of the public-key of someone with whom one wants to communicate.
A language / tool in the development of services whose main goal is privacy and authenticity.
A unified approach to specifying and interpreting security policies, credentials, and relationships that allows direct authorization of security-critical actions
Vishwas Patil, TIFR. 3/16PolicyMaker Presentation
PolicyMaker: General PrinciplesPolicyMaker: General Principles
Unified mechanism:- provides a common language for policies, credentials, and relationships.
Flexibility:- succinctness, the framework accommodates the PGP & X.509 certificates with trivial modifications.
Locality of control:- avoids the monolithic hierarchy of certifying authorities.
Separation of mechanism from policy:- credentials verification mechanism does not depend on credentials themselves or the semantics of the applications that use them.
Vishwas Patil, TIFR. 4/16PolicyMaker Presentation
PolicyMaker: ApproachPolicyMaker: Approach
1. Obtain certificates, verify signature, determine public-key of original signer.
2. Verify that certificates are unrevoked.3. Find trust-path from certifiercertificate.4. Extract name from certificates.5. Database look-up for NameAction mapping.6. Determine whether requested action is legal
according to local policy and then proceed.
Vishwas Patil, TIFR. 5/16PolicyMaker Presentation
PolicyMaker: Approach PolicyMaker: Approach ContinuedContinued
Steps 1, 2, 3, 4 can be supported by a PKI.
nameactions mapping can represent as much of a security risk as keynames, yet certificates don’t help the application map names to actions.
trust management engine:- accepts requests, certificates, local policy and satisfies steps 5 and 6.
Vishwas Patil, TIFR. 6/16PolicyMaker Presentation
PolicyMaker: Approach PolicyMaker: Approach ContinuedContinued
PolicyMaker binds public-keys to predicates that describe the actions they are trusted to sign for.
PolicyMaker’s ability to express security credentials and policies without requiring the application to manage a mapping between personal identity & authority is especially convenient in systems that include anonymity as a security requirement.
Vishwas Patil, TIFR. 7/16PolicyMaker Presentation
PolicyMaker: Approach PolicyMaker: Approach ContinuedContinued
PolicyMaker provides ways to express conditions under which an individual or an authority is trusted and conditions under which trust may be deferred.
PolicyMaker allows implementations of standard security policies and credentials developed for one application to be reused in others.
Vishwas Patil, TIFR. 8/16PolicyMaker Presentation
PolicyMaker: ArchitecturePolicyMaker: Architecture
Separates generic mechanism from application-specific policy.
It accepts as input a set of local policy statements, a collection of credentials, and a string describing a proposed trust action.
On evaluation of policy statements and credentials, it can return either yes / no or additional restrictions that would make the proposed action acceptable.
Can be integrated with application or run separately.
Vishwas Patil, TIFR. 9/16PolicyMaker Presentation
PolicyMaker: Architecture PolicyMaker: Architecture ContinuedContinued
Policies & credentials are defined in terms of predicates (filters), associated with public-keys.
filters accept/reject action descriptions based on what the holders of corresponding secret keys are trusted to do.
In case of deferred trust, the extent to which trusted-third-parties are trusted can be specified.
Credentials themselves may also contain filters that limit the actions their holder is trusted to perform.
Vishwas Patil, TIFR. 10/16PolicyMaker Presentation
PolicyMaker: Architecture PolicyMaker: Architecture ContinuedContinued
The form of action descriptions (action strings) is not determined by or known to the system itself.
It is up to the application to generate & interpret the strings and up to the filters to accept / reject them.
An application calls PolicyMaker after it has composed an action string and determined the auth. identifier from which the requested action originated.
PolicyMaker then determines whether the action string is permitted according to the local policy and credentials.
Vishwas Patil, TIFR. 11/16PolicyMaker Presentation
PolicyMaker: LanguagePolicyMaker: Language
Basic function of a PolicyMaker system is to process queries.
A query is a request to determine whether a particular public-key (or their sequence) is permitted to perform a particular action according to local policy
e.g. ActionString are application-specific and their
semantics is determined by the applications that generate and interpret them.
key1, key2,…… keyn REQUEST ActionString
Vishwas Patil, TIFR. 12/16PolicyMaker Presentation
PolicyMaker: LanguagePolicyMaker: Language
PolicyMaker processes queries based on trust information contained in assertions.
assertions confer authority on keys. Each assertion binds a predicate (filter) to a
sequence of public-keys (authority structure). e.g. Source indicates the source of the assertion. AuthorityStruct specifies the public-keys to whom
the assertion applies.
Source ASSERTS AuthorityStruct WHERE Filter
Vishwas Patil, TIFR. 13/16PolicyMaker Presentation
PolicyMaker: Language PolicyMaker: Language ContinuedContinued
Each assertion states that the assertion source trusts the public-keys in the authority structure to be associated with action strings that satisfy the filter.
Types of assertions:- Certificates (signed assertions) Policies (unsigned) – just a special case of certificates.
On any given system, the set of local policies forms the “trust root” of the machine and defines the context under which all queries are evaluated
Vishwas Patil, TIFR. 14/16PolicyMaker Presentation
PolicyMaker: Query SemanticsPolicyMaker: Query Semantics
A query is a request for information about the trust that can be placed in a particular (sequence of) public key(s).
A PolicyMaker system must have at least one policy assertion before it can process queries.
To process a query, the PolicyMaker system must find a chain v1 v2 ··· vt in D (in which the vertices => keys / policy sources & arcs => filters) in which v1 is a local policy source and vt = k.
Vishwas Patil, TIFR. 15/16PolicyMaker Presentation
PolicyMaker: ExamplesPolicyMaker: Examples
policy
ASSERTS
pgp:”xyz123”
WHERE PREDICATE=regexp:” (From: vtp) && (Organization: PKI Labs)”;
pgp:”xyz123” REQUESTS “From: vtp
Organization: PKI Labs”;
pgp:”xyz123” REQUESTS “From: bob
Organization: RSA Labs”
Vishwas Patil, TIFR. 16/16PolicyMaker Presentation
PolicyMaker: DiscussionPolicyMaker: Discussion
Advantages / Disadvantages Evaluation: simplicity, expressiveness, generality,
extensibility